GDPR Compliance: Time to Face Mission Impossible?

The subject of GDPR compliance continues to be on the lips of many in the information security industry, and rightly so as the regulation promises to revolutionize the way we work and store data.

I recently had the opportunity to gather with four industry figures to get some perspective of some of the main talking points. Jaspreet Singh, CEO and founder of cloud delivery vendor Druva said that GDPR has many forms and factors that affect cloud, and you have to be GDPR compliant to work in the cloud.

He highlighted four areas to consider: where is the data; where is the sensitive information; breach notification; and the right to be forgotten. “Right to be forgotten is a big part for data processors if you keep multiple copies, so how do you clean systems up as it is almost impossible,” he said.

‘Where is my data’, is that one of the main concerns for businesses?

Steve Maltby, director of sales at Oriium said that when data moves out of the perimeter, where does that data sit? “How do you enforce that? We’re working with partners to understand what is on those endpoint devices.”

Neil Stobart, global technical director of Cloudian, said that the challenge is that in the USA there is no single point of law and data protection is ‘down to do the best you can’, and that is in conflict with GDPR.

He added: “So there is going to be concern about using US-owned data centers, as anyone can be subpoenaed and I think the EU is concerned about that. We have a data center provider in Canada who is offering services to US companies. I think the big concern is the US until we get to some sort of agreement, look at what happened with Safe Harbor.”

Darron Gibbard, chief technology security officer at Qualys, said that Privacy Shield did have a good set of model clauses to understand a breach notification perspective. “Privacy Shield may have gone up in flames, but the model clauses are still there. Organizations can still choose to use them to protect data that is leaving via cloud or any mechanism out into other parts of the world.”

So ‘where is my data’ is a key part of GDPR, will it make people care more?

Stobart said he did not believe that it was completely understood what was needed to be done, and that small businesses would not understand it. Gibbard argued that in his previous role in financial services, the program was being driven by the legal aspect, and the C-suite were having conversations about it, and both were focusing on the potential of fines.

“The conversation started early to identify where the data was in and outside the organization, what hosts what system and where it was being transmitted to discover where it all was,” Gibbard said. “So that to me was one of the lengthier parts for an organization and for information security teams to complete, as you’ve got to work out the supply chain, get through to third or fourth parties and understand end-to-end where and how your data is being used and if it is staying in the EU, as organizations are going to struggle.”

How prepared are businesses for GDPR?

Gibbard said he reckoned that 10% of businesses were prepared, while Stobart said that heavily regulated industries will have to be prepared, while smaller businesses will likely struggle. “Until we get a ruling on the number [minimum number of employees] for the need for a data protection officer, it is going to be another concern,” Gibbard warned.

Stobart said he knew of someone who figured that the fine for non-compliance was not as bad as the cost for implementation to ensure compliance, so he was prepared to take the hit. “I bumped into him later and he said he was totally on board with compliance as ‘if we got fined, oh my God!’ and realized he should have done it, as the fines are one of the key things as money always talks.”

Gibbard said that brand impact will also be a consideration, as well as the fine.

Will GDPR bring Europe to a standard being set by some US states in data protection?

Singh said that they are dealing with European data, while US companies are used to dealing with HIPAA, so this is not a huge change.

“The FBI is after you if you have ransomware or a breach, [particularly] if you have not publicly reported it,” he said. “The trouble is if you get breached and don’t disclose it, the same breach is going to impact many other people and your suppliers.”

Gibbard said that a standardized breach notification is issued by the FCA or PRA in financial services, but there are currently no public notifications; and we want to know how organizations are handling our data, where it is going and if it is lost, why it happened. “It is going to be interesting to see how it is handled and even sending access requests, it is going to be a huge task to locate data now.”

Stobart called this ‘almost mission impossible’ when it comes to locating data, as it could be in multiple databases, or in email or a scanned letter. “If I wrote to a company they would see a request from a Mr Neil Stobart and they could run one query and it will identify all of the letters that have been scanned in, and to me that is mission impossible. For a little company, no one is going to do that.”

This brought the discussion back to where data is, and Singh said that the problem is finding the data, and what you can expose as part of the response. “You want processes where you can identify, and notify of a breach,” he said.

Gibbard said that it was ‘up in the air’ in terms of when breaches needed to be notified, as there will be different processes for each country, and determining what was lost. “Customers say how can I understand the device and show them what is there and understand the ‘blast radius’ on what else was compromised,” he said.

The conversation came back round to the point of knowing where data is, and being able to pinpoint it in the event that it needs to be disclosed or investigated. Once again, GDPR affects us all and there is no escaping the demands of the new rules.